Rachel stops to tie the shoelaces on her new sky-blue high-tops. Admiring the shoes’ style, her friend, Grace, asks Rachel where she got them so she can buy a pair for herself. Later that day, Grace searches the phone book for the store’s number and asks her parents if she can borrow some money and for a ride to the shop. Her parents agree, but when she calls to check the store hours, Grace finds out they’re closed for the weekend. The following Monday, she arrives at the store and eagerly grabs the shoes she wants from the shelf. The shop owner takes her money and provides a carbon-copy receipt from a two-layer pad, keeping the other copy to record in a written journal.
With the technology available today, it is hard to believe that this was how many retail establishments conducted business in the ‘80s and ‘90s. Modern-day conveniences mean Grace could have gotten that new pair of shoes ordered the moment she asked her friend about them, with next-day delivery bringing them right to her front door.
So, what’s changed? At the base of this transaction, not much. Goods are purchased and funds are received. On the back end, the retailer records the transaction in their journal. Some may say it was more complicated 30 or 40 years ago, given the speed at which transactions happen now. But when looking at the multiple points of contact needed for ordering that same pair of shoes today, the number of considerations from a risk and controls standpoint starts to stack up quickly.
Those considerations are critical from an auditing perspective. Auditors have had to transition from the former method of tying out cash to purchase orders, invoices and inventory to a more modern method of understanding controls around information generated by a multitude of systems. Adding further complexity, the current landscape has added services that do not sit at the clients being audited. A recent report found that more than 65% of U.S. companies currently utilize cloud services for infrastructure. Add to that the fact that an increasing number of companies are now using third-party services for order fulfillment, transaction processing, and/or other key business functions, and the risks auditors need to consider have grown substantially.
There are other reasons auditing was simpler before the introduction of the technology used today. The volume of business has grown, meaning companies are processing more transactions than ever before. Risk from third parties and IT were just entering the conversation as well, whereas the current business landscape requires management and auditors to look at the different interaction points for all transactions to develop a risk profile. For example, one major U.S. retailer with 31.4 million units sold in 2004 saw that number increase to recorded 225 million in 2022. Averaged out per day, that’s 86,000 units vs. 616,000 units, or roughly seven units per second. So how do auditors account for all of that information? Is it enough to take the sales receipts and tie back a sample of 25? Auditors must consider whether traditional substantive procedures, such as sampling sales receipts, remain sufficient in highly automated environments.
In 2019 (effective December 15, 2021), the International Auditing and Assurance Standards Board enacted ISA 315, which stated that risk assessment should play a stronger part of auditing any entity and that IT is embedded in most everything companies do. This was later reinforced by the AICPA Accounting Standards Board’s release of SAS 145 in 2021 (effective December 15, 2023). In some ways, this simply aligned the IAASB and ASB with standards such as the PCAOB and merely stated what many already knew. It was one of the first times the heavy reliance of IT on a risk assessment was brought to the forefront of the standards.
Are Substantive Procedures Alone Sufficient?
In the example story above, the shoe retailer’s auditor likely didn’t worry whether testing substantively was sufficient. Several decades ago, the auditing process was simpler. By taking enough purchase orders and tying them out to sales receipts, then determining what opening and ending inventory was via a physical count, auditors could draw conclusions on the financials.
In contrast, today’s retailers typically utilize online revenue and inventory systems for customer orders, resulting in increased transaction volumes and greater complexity due to the movement of inventory across multiple warehouses. The number of workers retailers employ is also much larger than in the past— combined with increased scale — illustrate the amount that retailers, and subsequently auditors, must rely on systems for complete and accurate processing.
The question that auditors need to answer from the standards AU-C Section 315 (aka “SAS 145”), ISA 315 and PCAOB Auditing Standards is whether in this environment (and similar complex environments) substantive testing alone would be sufficient to conclude that the financial statements are free from material misstatements.
It can be tempting for auditors to jump into procedures before looking at the holistic picture of the client, their processes, and their risk. Relying on prior year audit approaches ("SALY” - same as last year, and “JELLY” - just exactly like last year) may not adequately address the unique risks present in today’s IT-driven environments and can result in noncompliance with current standards. Auditors must make a judgment call if it appears there is enough testing that can be done back to source documentation (outside of the system) to form an opinion on the financial statements.
Risks Arising From IT
While AU-C Section 315 is relevant for many companies, especially nonpublic ones, the PCAOB also offers insights into what they have found in their most recent reports for public accounting companies. Some areas that have been particularly challenging include revenue recognition, inventory, and financial statements in close process. Each of these areas is almost always supported by IT systems and processes. In a recent Spotlight report (August 2024), the PCAOB cited risk assessment and considerations for IT as some of their top areas of concern. If audit companies are still struggling to get this right on the public companies, it is reasonable to think the private company audits also require enhancements in their procedures.
5 Steps to Apply AU-C Section 315 in Relation to IT
In light of these challenges, there are several important areas to consider when it comes to the standards and how they relate to IT. This includes but is not limited to:
1. Know the Entity
Auditors should take the time to understand the entity they are auditing and recognize that IT likely is a part of each of the key business processes. Understanding the landscape of the control environment is not complete without understanding how the entity treats IT. To assess that, consider these questions:
- Is there an IT function? Is it in-house, outsourced, or a combination of both?
- How integrated is IT within management?
- How is IT incorporated into board and audit committee reporting?
- Are there policies and procedures in place? Is there a formal organizational structure for IT?
- What are the cybersecurity risks that need to be considered?
- How structured is the IT environment? Are changes made frequently?
- What is the volume of transactions handled by the IT systems?
- Are emerging technologies such as distributed ledgers, cryptocurrencies, and AI in play?
2. Identify Processes and Relevant IT Components Supporting Them
After identifying the significant accounts and classes of transactions that feed them, auditors then discuss and/or walk through the processes with the client to understand how they work and what risks are involved. As the client details their working process through the transactions, auditors should keep a curious mind and ask probing questions about where the transaction initiates and gets processed. Is it starting from an application? Does the application feed a back-end system that may consolidate information? Is there any manual manipulation throughout, or does the transaction happen completely within the system all the way through to the general ledger? Keep an eye out for the common applications seen at many businesses, and remember that if a third-party service is used, there’s likely a third-party application (or multiple applications) supporting it, such as:
- Order entry or online order entry applications
- Inventory management applications
- Purchasing applications
- Payroll applications
- General Ledger
- Enterprise Resource Planning (ERP)
- Data warehouses
- Report writers
- Analytics tools
- Third-party applications
When auditing an entity that uses third-party applications, auditors should note that they could still be relying on controls even when they aren’t “taking a controls approach” on the audit or “utilizing controls to reduce substantive testing.” It’s important for auditors to question whether there are controls at a service provider or reports/data coming from that service provider that they are using for audit testing. If so, the auditor should obtain a controls report (such as a SOC 1 Type 2), evaluate it, and test the entity’s controls around it in order to use those controls and reports as part of the audit procedures.
3. Form an Approach
Once the auditor understands the key processes and systems, the next step is to consider any risks and use those to help formulate an audit plan. If the process only contains a few automated steps and transaction volume is low, a more substantive approach can be used, especially if transactions can be tied back to source data outside of the system. If the opposite is true, however, the auditor should consider what controls in the system may be relevant. Auditors must also factor in any key reports/data used for testing or in management controls, often referred to as information produced or provided by the entity (IPE), and whether that IPE’s generation is dependent on an application. Auditors should be conscious of mistakenly performing substantive testing but still tying information back to a system or application that’s not in scope (instead of back to source documentation outside the system).
4. Identify the Direct Controls
While evaluating the client’s process, auditors should start to note risks and where errors could occur. During this phase, the auditor must begin to identify the controls and meet clients where they are. In other words, auditors must recognize and acknowledge the automated controls clients often use, and that there may not be a traditional paper trail. Auditors must dig deeper to find out what the system is doing to prevent the need for such review or manual signoff. In some cases, the manual process of signing off or approving transactions is happening directly in the system, so it’s necessary to consider what the actual control is. Does the system automatically approve certain entries? Is signoff from a manager required for certain thresholds? Is an automated reconciliation of transactions occurring with an outside party? There is nothing wrong with the client having manual controls, but -- more often than not -- there are also system-run controls that would be simpler and more reliable to use for the audit approach.
After understanding this information, auditors will likely be able to determine whether or not substantive procedures would be sufficient for certain areas and if controls are manual or automated.
5. Test the ITGCs
After compiling the applications used in the relevant audit processes and pairing them with the pertinent automated controls and IPE, auditors must assess the IT general controls (ITGC), which are vital for the broad, continuous operation of controls overall. Testing the design, implementation, and operating effectiveness of ITGCs forms the basis for relying on process controls throughout the period.